Plenty of people have been checking out our guide to services that support two-factor authentication. That’s excellent from a security perspective, but a question has popped up which is worth addressing separately: what happens if you’re using a system that relies on your mobile phone and you lose the phone itself?
Picture by Michael Coghlan
A quick primer: two-factor authentication relies on you using both something you know (a password) and something you have (in this example, a one-time access code sent to your phone). If you misplace your phone, that doesn’t put any accounts using two-factor authentication at risk directly. After all, even if someone has your phone, they don’t have your main password. However, it does place you in a bind: you can’t access anything because you don’t have your phone.
This is a nuisance, but it is not an intractable problem. At a very basic level, if you’ve misplaced your phone permanently, chances are you’ll try to get the same number reassigned by your carrier. Once that happens, you’ll have access to codes sent to that number.
You don’t have to wait, however. Typically, services will offer a number of recovery options for people who either don’t have their phone or who can’t receive messages (which might happen if you’re overseas). These can include:
- If you’re already signed into a service on another device, you may be able to disable two-factor authentication. (This will work if a service only verifies your identity every 30 days, à la Google, or when you attach a new device, à la Dropbox, but not for services that require a code every time you sign in.)
- Many services provide you with a backup code which can be entered if two-factor authentication isn’t an option. This will only be supplied once at signup, so make sure you take note of it and keep it somewhere secure.
- Some services (such as Google) allow you to specify a backup phone where codes can be sent. This could be the phone of a partner or family member.
- If those options fail, there will usually be some form of recovery service available. This can take time to process, however, so it’s worth the effort of setting up one of the other approaches ahead of time.
To find the specifics for an individual service, check its help section. Whatever approach you use, make sure you re-enable two-factor authentication once you do have a replacement phone.